security-review-3
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICALEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (CRITICAL): The skill is configured to fetch fresh instructions from a remote, untrusted URL (ZackKorman/skills). Because these instructions are followed by the agent, this is a direct injection vector for malicious commands.
- [REMOTE_CODE_EXECUTION] (CRITICAL): The agent is instructed to fetch and follow guidelines from an external source at runtime. In the context of LLM agents, remote instruction fetching from untrusted sources is equivalent to RCE.
- [COMMAND_EXECUTION] (HIGH): The skill explicitly requests the execution of shell commands like
npm audit,govulncheck,grep, andtrivy. In combination with the remote instruction fetch, this provides an attacker with the necessary capabilities to perform data exfiltration or system modification. - [PROMPT_INJECTION] (MEDIUM): The description contains a directive to 'ALWAYS run this at the end of each task,' which is a behavior-modifying instruction designed to force the agent into a specific, potentially infinite or intrusive, loop.
- [INDIRECT_PROMPT_INJECTION] (HIGH): Evidence Chain: 1. Ingestion Point: Guidelines fetched from raw.githubusercontent.com/ZackKorman. 2. Boundary Markers: None present to distinguish fetched instructions from system prompts. 3. Capability Inventory: Subprocess calls via npm, grep, and specialized security tools. 4. Sanitization: None; the agent is told to 'Do everything' the fetched content says.
Recommendations
- AI detected serious security threats
Audit Metadata